This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
NMFSTeam
Posts: 88 Joined: Thu Nov 12, 2015 9:01 am
by NMFSTeam » Wed Sep 22, 2021 12:46 pm
I don't have nmap installed, but I do have netcat.
Code:
nc -v ldap-server.example.com 636
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.1.1:636.
^C
pbroste
Posts: 1288 Joined: Tue Jun 01, 2021 1:27 pm
by pbroste » Thu Sep 23, 2021 10:22 am
Hello @NMFSTeam
Thanks for following up with the connection results, we see that a connection is established.
I want to go ahead and enable debug so we can get more verbose details on what is going on.
Open the file in vi by executing the following command:
Code:
vi /var/www/html/nagioslogserver/application/helpers/ldap_ad_helper.php
Make the change as per the following example; the line needs to be added to /var/www/html/nagioslogserver/application/helpers/ldap_ad_helper.php after the create_auth_connection function's opening curly bracket (line 82).
function create_auth_connection()
{
    // Added line: enable verbose debug output from the LDAP library
    ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
    $ci =& get_instance();
Please see the following support article which outlines:
https://support.nagios.com/kb/article/active-directory-ldap-troubleshooting-authentication-integration-600.html
Thanks,
Perry
by NMFSTeam » Fri Sep 24, 2021 10:50 am
We have edited the file and added the debugging option. Do we need to restart any services? Which log file should we look at to see the results?
Thank you.
by pbroste » Mon Sep 27, 2021 9:28 am
Hello @NMFSTeam
You can go ahead and bounce the nagios.service (systemctl restart nagios.service) and the log of interest is:
Code:
tail -f /var/log/httpd/error_log /var/log/httpd/ssl_error_log
Thanks,
Perry
by NMFSTeam » Mon Sep 27, 2021 1:48 pm
There is no nagios service. I bounced httpd, elasticsearch, and logstash.
Nothing earth shattering in the logs. Here is an excerpt from the access_log:
Code:
10.0.0.5 - - [27/Sep/2021:18:44:29 +0000] "POST /nagioslogserver/login HTTP/1.1" 303 - "http://192.168.2.7/nagioslogserver/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0"
10.0.0.5 - - [27/Sep/2021:18:44:29 +0000] "GET /nagioslogserver/login HTTP/1.1" 200 9183 "http://192.168.2.7/nagioslogserver/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0"
Here is the error_log:
Code:
[Mon Sep 27 07:34:48.008948 2021] [authz_core:error] [pid 46052] [client 192.168.2.10:38412] AH01630: client denied by server configuration: /var/www/html/.htaccess
[Mon Sep 27 07:34:48.021586 2021] [authz_core:error] [pid 46052] [client 192.168.2.10:38412] AH01630: client denied by server configuration: /var/www/html/.htpasswd
[Mon Sep 27 07:34:48.281319 2021] [core:error] [pid 46052] [client 192.168.2.10:38484] AH00126: Invalid URI in request GET /././.. HTTP/1.1
[Mon Sep 27 07:34:48.282112 2021] [core:error] [pid 9943] [client 192.168.2.10:38486] AH00126: Invalid URI in request GET ././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././../../../../../../../../ HTTP/1.1
[Mon Sep 27 18:32:10.842432 2021] [mpm_prefork:notice] [pid 1059] AH00170: caught SIGWINCH, shutting down gracefully
[Mon Sep 27 18:32:14.850688 2021] [suexec:notice] [pid 52007] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Sep 27 18:32:14.892777 2021] [lbmethod_heartbeat:notice] [pid 52007] AH02282: No slotmem from mod_heartmonitor
[Mon Sep 27 18:32:14.913605 2021] [mpm_prefork:notice] [pid 52007] AH00163: Apache/2.4.6 (CentOS) PHP/5.4.16 configured -- resuming normal operations
[Mon Sep 27 18:32:14.913634 2021] [core:notice] [pid 52007] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
cat: /var/run/elasticsearch/elasticsearch.pid: No such file or directory
I'm pretty sure the IP being denied access is our Nessus scanner.
Thanks.
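An added example, not part of the original post: one way to separate the scanner's entries in an excerpt like the one above from server-side lines, on the assumption that output written to stderr shows up unprefixed like the `cat:` line. The sample lines are shortened from the excerpt and the function names are made up here.

```bash
#!/usr/bin/env bash
# Constructed sample: lines shortened from the error_log excerpt in the post.
sample_error_log() {
  cat <<'EOF'
[Mon Sep 27 07:34:48.008948 2021] [authz_core:error] [pid 46052] [client 192.168.2.10:38412] AH01630: client denied by server configuration: /var/www/html/.htaccess
[Mon Sep 27 07:34:48.021586 2021] [authz_core:error] [pid 46052] [client 192.168.2.10:38412] AH01630: client denied by server configuration: /var/www/html/.htpasswd
[Mon Sep 27 07:34:48.281319 2021] [core:error] [pid 46052] [client 192.168.2.10:38484] AH00126: Invalid URI in request GET /././.. HTTP/1.1
[Mon Sep 27 18:32:14.913605 2021] [mpm_prefork:notice] [pid 52007] AH00163: Apache/2.4.6 (CentOS) PHP/5.4.16 configured -- resuming normal operations
cat: /var/run/elasticsearch/elasticsearch.pid: No such file or directory
EOF
}

# Count entries per client IP (IPv4 only) and Apache AH code, so bulk noise
# from a single address such as a vulnerability scanner stands out.
summarise_clients() {
  awk '
    match($0, /\[client [0-9.]+:[0-9]+\]/) {
      ip = substr($0, RSTART + 8, RLENGTH - 9)   # drop "[client " and "]"
      sub(/:[0-9]+$/, "", ip)                    # drop the source port
      code = "none"
      if (match($0, /AH[0-9]+/)) code = substr($0, RSTART, RLENGTH)
      count[ip " " code]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -k2,2 -k3,3
}

# Print everything that did NOT come from the given client IP: server notices
# and raw stderr lines that lack the "[time] [module:level]" prefix.
lines_not_from_client() {
  grep -v -F "[client $1:"
}

sample_error_log | summarise_clients
sample_error_log | lines_not_from_client 192.168.2.10
```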
by pbroste » Tue Sep 28, 2021 10:38 am
Hello @NMFSTeam
Please verify that SELinux, AppArmor, or other security applications are preventing Authentication.
Thanks,
Perry
by NMFSTeam » Wed Oct 13, 2021 1:10 pm
We are using the Nagios provided OVA to run this server in a VMware vSphere environment. We have not made any changes to the image, except for running updates using the "yum update" command.
I ran the requested command, and it came back showing that SELinux is disabled.
by pbroste » Thu Oct 14, 2021 12:33 pm
Hello @NMFSTeam
Thanks for verifying. I see that in a previous post on this thread we had you check the connection string via 'ldapsearch' and that appears to validate. Next, we want to verify the certificate by:
Code:
openssl s_client -showcerts -connect yourldapserverhere:636
Please follow up with results,
Perry
by NMFSTeam » Mon Oct 18, 2021 10:30 am
Results have been sent via PM.
by pbroste » Tue Oct 19, 2021 10:11 am
Hello @NMFSTeam
Thanks for sending the results from openssl connect on port 636, which is good to verify that we are able to connect over port 636 when it comes time to set up authentication from Active Directory/LDAP. We also want to verify 'openssl' over port 443 to make sure that we are not hitting roadblocks there as well.
Code:
openssl s_client -showcerts -connect yournagioslogserveraddresshere:443
Next, we will use the API to recreate a Nagios local admin user (the example uses "someuser"), but first, let's verify that all services are looking good and running:
Code:
systemctl status httpd elasticsearch logstash
To create new local admin user:
Let's get the api key by:
Code:
curl -XGET 'http://localhost:9200/nagioslogserver/user/_search?q=_type:user'
Code:
curl -XPUT 'http://localhost:9200/nagioslogserver/user/99' -d '{"username":"someuser","password":"c678bcf3b5138b9263a95c44d28097f22c2e02877193d2c25313478821d45c19","auth_type":"admin","email":"[email protected]","language":"default","apiaccess":"1","apikey":"enteryourapikeyhere","created":"2015-01-23 10:00:00","created_by":0,"default_dashboard":"/dashboard/elasticsearch/default"}'
Let us know the results,
Perry
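An added example, not part of the original posts: a small parser for the output of the `openssl s_client -showcerts` checks requested above for ports 636 and 443, pulling out the chain length, leaf subject and issuer, and the verify return code. The transcript is constructed (the issuer name and certificate body are placeholders) and the function names are made up here.

```bash
#!/usr/bin/env bash
# Constructed transcript in the shape `openssl s_client -showcerts` prints;
# the issuer name and certificate body are placeholders, not real data.
sample_s_client_output() {
  cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = ldap-server.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ldap-server.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=ldap-server.example.com
   i:/DC=com/DC=example/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
    Verify return code: 21 (unable to verify the first certificate)
---
EOF
}

# Read s_client output on stdin and print the fields that decide whether a
# TLS client that validates certificates would accept this server.
summarise_s_client() {
  awk '
    /^-----BEGIN CERTIFICATE-----/ { certs++ }
    /^ *0 s:/ && subject == "" { subject = $0; sub(/^ *0 s:/, "", subject) }
    /^ *i:/   && issuer == ""  { issuer = $0;  sub(/^ *i:/, "", issuer) }
    /Verify return code:/ {
      code = $0
      sub(/.*Verify return code: /, "", code)   # keep "21 (unable ...)"
      sub(/ .*/, "", code)                      # keep the number only
    }
    END {
      if (code == "") code = "unknown"
      printf "certs=%d verify=%s\nsubject=%s\nissuer=%s\n", certs, code, subject, issuer
    }'
}

# Succeeds only when OpenSSL reported "Verify return code: 0 (ok)".
chain_is_trusted() {
  summarise_s_client | grep -q '^certs=[0-9]* verify=0$'
}

sample_s_client_output | summarise_s_client
```

Against a live server the same functions can be fed with `openssl s_client -showcerts -connect yourldapserverhere:636 </dev/null | summarise_s_client`.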